Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits
Depends on Timely Correction of Year-2000 Problems (Testimony, 06/26/97,
GAO/T-AIMD-97-114).

GAO discussed actions being taken by the Veterans Benefits
Administration (VBA) to address the computing challenges faced by
virtually all major organizations, public and private, with the upcoming
change of century.

GAO noted that: (1) as with all other federal agencies, VBA could face
widespread computer systems failures as the year 2000 nears due to the
potential for incorrect information processing; (2) because eligibility
for many of VBA's benefits and services is date-dependent, services
could be seriously disrupted to millions of people; (3) unless systems
changes are made, veterans could receive inaccurate and/or delayed
compensation and pension benefits, receive debt collection letters when
they do not actually owe money, cease to receive vocational
rehabilitation services, receive inaccurate insurance benefits, or have
foreclosure proceedings initiated unnecessarily due to erroneous date
calculations; (4) management decisions relating to impact,
prioritization, and resources, among others, must first be made; (5) GAO
has developed a guide that constitutes a framework that agencies can use
to assess their readiness to achieve year-2000 compliance; (6) the guide
describes in detail the five phases involved in this challenge,
including awareness, assessment, renovation, validation, and
implementation; (7) VBA's information resources management support plan,
issued this past January, states unambiguously that achieving year-2000
compliance is the agency's number one priority; (8) the structure of
VBA's year-2000 program management office needs strengthening, and
technical and managerial issues must be addressed; (9) critical
technical deficiency is VBA's lack of an overall, integrated systems
architecture, or blueprint, to guide and constrain the development of
replacement systems and the evaluation of related information systems;
(10) a second obstacle to VBA's success concerns determining whether VBA
information systems and their components are compliant now; (11) a third
obstacle is that VBA has not developed contingency plans for all of its
critical systems; (12) VBA does not yet have sufficient information
about the costs and risks associated with its year-2000 activities; (13)
reliable assessments of costs and risks are important prerequisites for
effective prioritization of information technology projects; (14) VA's
readiness assessment estimated VBA's year-2000 costs at about $20
million for fiscal years 1996 through 1999; and (15) in light of VBA's
recent decision to make year-2000 changes to its existing systems its
top priority, rather than relying on replacement systems, GAO believes *

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-114
     TITLE:  Veterans Benefits Computer Systems: Uninterrupted Delivery 
             of Benefits Depends on Timely Correction of Year-
             2000 Problems
      DATE:  06/26/97
   SUBJECT:  Veterans benefits
             Systems conversions
             Strategic information systems planning
             Information resources management
             Systems analysis
             Information systems
             Systems design
             Computer software verification and validation
             Application software

             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Oversight and Investigations, Committee on
Veterans' Affairs, House of Representatives

For Release on Delivery
Expected at
9:30 a.m.
Thursday,
June 26, 1997

VETERANS BENEFITS COMPUTER SYSTEMS
- UNINTERRUPTED DELIVERY OF
BENEFITS DEPENDS ON TIMELY
CORRECTION OF YEAR-2000 PROBLEMS

Statement of Joel C.  Willemssen
Director, Information Resources Management
Accounting and Information Management Division

GAO/T-AIMD-97-114

GAO/AIMD-97-114T


(511218)


Abbreviations
=============================================================== ABBREV

  CIO - Chief Information Officer
  VA - Department of Veterans Affairs
  VBA - Veterans Benefits Administration

============================================================ Chapter 0

Mr.  Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss actions being taken by the
Department of Veterans Affairs' (VA) Veterans Benefits Administration
(VBA) to address the computing challenges faced by virtually all
major organizations--public and private--with the upcoming change of
century.  Correct and on-time delivery of benefits and services to
some 10 million American veterans and their dependents will hinge on
how quickly and how well the agency can meet these demands. 

Because readiness for the year 2000 is a critical issue throughout
the government, we have recently added the year-2000 problem to our
list of federal program areas at high risk of vulnerability.\1 As
with all other federal agencies, VBA could face widespread computer
systems failures as the year 2000 nears due to the potential for
incorrect information processing.  This could occur because many
existing computer systems have a two-digit date field, such that the
year 2000 would be represented by "00." However, "00" could also be
read as 1900.  Age and other calculations would be thrown off,
creating havoc as systems attempted to verify eligibility for various
VBA programs.  Because eligibility for many of VBA's benefits and
services is date-dependent, services could be seriously disrupted to
millions of people. 

VBA is aware of these risks and knows it has work to do.  In a report
issued to you, Mr.  Chairman, and being released publicly today, we
detail our findings on VBA's readiness for the change of century.\2
VBA has initiated action to assess its vulnerability and perform the
modifications that must be made to its information systems, but
several substantial risks remain.  If VBA is to avert serious
disruption to its ability to disseminate benefits, it will need to
strengthen its management and oversight of year-2000-related
activities.  Unless the systems that run VBA's programs are modified
correctly and with adequate time for thorough testing, they will not
be prepared to function adequately after December 31, 1999.  The
Department of Veterans Affairs concurred with all 10 of our
recommendations.  If properly carried out, they will help ensure
VBA's success in making its systems year-2000 compliant. 


--------------------
\1 High-Risk Series:  Information Management and Technology
(GAO/HR-97-9, February 1997). 

\2 Veterans Benefits Computer Systems:  Risks of VBA's Year-2000
Efforts (GAO/AIMD-97-79, May 30, 1997). 


   MAKING SYSTEMS READY FOR THE
   YEAR 2000-- A DEADLINE VBA
   CANNOT AFFORD TO MISS
---------------------------------------------------------- Chapter 0:1

There is no question, Mr.  Chairman, that VBA must make its key
information systems year-2000 compliant.  Unless these systems
changes are made, veterans could receive inaccurate and/or delayed
compensation and pension benefits, receive debt collection letters
when they do not actually owe money, cease to receive vocational
rehabilitation services, receive inaccurate insurance benefits, or
have foreclosure proceedings initiated unnecessarily due to erroneous
date calculations.  The financial stress that could accrue to
millions of Americans from incorrect calculations must be avoided. 

At VBA, compensation and pension systems that relate dates to
benefits--such as dates of birth or military service--could be
especially vulnerable to disruption.  To illustrate the potentially
chaotic result of a system unable to tell 2000 from 1900, a veteran
born in 1925 and therefore turning 75 in 2000 could--if the computer
system read "00" as 1900--be seen as negative 25 years old--not even
born yet.  The veteran would likely then be judged ineligible for
benefits he had already been receiving.  While such scenarios would
ultimately be resolved, the ensuing delays could be a hardship for
many. 

Ensuring that information systems are made year-2000 compliant is an
enormous, difficult, and time-consuming challenge.  Perhaps
ironically, however, it is more managerial than technical. 
Scheduling and monitoring are especially important because systems
must continue to work while being changed; the needs of those being
served by these applications are not put on hold while the agency
prepares for the next century.  Consequently, as with all agencies,
VBA's success or failure will reflect the quality of executive
leadership and program management that is brought to bear on this
task.  It will be imperative for top agency management--including the
agency head and the chief information officer, or CIO--to not only be
fully aware of the importance of this undertaking, but to communicate
this awareness and urgency to all agency personnel in such a way that
everyone understands why year-2000 compliance is so important.  The
outcome of this challenge will also be determined by the extent to
which the agency has institutionalized key systems development and
program management practices. 


   STRUCTURED APPROACH, RIGOROUS
   PROGRAM MANAGEMENT REQUIRED
---------------------------------------------------------- Chapter 0:2

Addressing the year-2000 problem is not merely a matter of altering
every computer system and application.  Management decisions relating
to impact, prioritization, and resources, among others, must first be
made:  Which systems are most important?  Can they be converted or
must they be replaced?  Can corrections to any be delayed?  Can any
systems be eliminated because they overlap with others or no longer
serve any useful purpose?  Have sufficient analyses been conducted to
answer these questions?  Do we have adequate financial and personnel
resources?  Must our internal capabilities be upgraded? 

GAO has developed a guide\3 that constitutes a framework that
agencies can use to assess their readiness to achieve year-2000
compliance.  It provides information on the scope of the challenge
and offers a structured approach for reviewing the adequacy of agency
planning and management of its year-2000 program.  An exposure draft
of the guide was released in February; it incorporates guidance and
practices identified by leading information technology organizations. 
We have made copies available to VA and to VBA. 

The guide describes in detail the five phases involved in this
challenge.  Since we see each as critical to a successful year-2000
program, I would like to take a few minutes to briefly discuss them. 

AWARENESS.  While this may seem obvious or unnecessary, we have found
that neither is true.  Agency personnel must get the word--from the
top--as to what this project is all about, and why it matters.  Also
in this stage, the agency team that will attack the problem is
identified, and begins examining potential impacts and developing a
strategy. 

ASSESSMENT.  When everything is a priority, nothing is a priority. 
The emphasis in this phase is on setting realistic priorities--those
based on assessments of the potential risk of systems' not being
year-2000 compliant and the likely impact.  Systems that are
mission-critical--which therefore must be converted or replaced--need
to be distinguished from important ones that should be changed and
marginal ones that could be changed now or deferred.  Such
priority-setting is absolutely essential, and should be undertaken
from a business standpoint:  systems that are integral to the
agency's main function and on which its customers depend should
receive the highest priority.  Testing strategies must also be
devised and contingency plans developed. 

RENOVATION.  This phase deals with actual changes--converting,
replacing, or eliminating selected systems and applications.  In
doing this, it is important to consider the complex interdependencies
among systems, and ensure that changes are consistent agencywide and
that information about all changes is widely disseminated to users. 

VALIDATION.  Here, agencies test, verify, and validate all converted
or replaced systems and applications, ensuring that they perform as
expected.  It is likewise important that testing procedures
themselves be tested, so that agencies can be sure that their results
can be trusted.  This critical phase can extend over a full year, and
may take up to half an agency's funds budgeted for the entire
year-2000 program.  It is, however, necessary--and worth the cost. 
Unless changed systems reliably work as needed, the rest of the
expenditure is wasted. 

IMPLEMENTATION.  Deploying and implementing compliant systems and
components requires extensive integration and acceptance testing. 
And since not all agency systems will be converted or replaced
simultaneously, it may be wise to operate in a parallel-processing
environment for a period of time, running old and new systems
side-by-side.  Such redundancy can act as a fail-safe mechanism until
it is clear that all changed systems are operating correctly. 


--------------------
\3 Year 2000 Computing Crisis:  An Assessment Guide [Exposure Draft]
(GAO/AIMD-10.1.14, February 1997). 


   VBA TODAY:  ENCOURAGING ACTIONS
   INITIATED, BUT SIGNIFICANT
   RISKS REMAIN
---------------------------------------------------------- Chapter 0:3

VBA clearly recognizes that the upcoming change of century poses
serious challenges and began analyzing the problem in 1991.  Its
information resources management support plan, issued this past
January, states unambiguously that achieving year-2000 compliance is
the agency's number one priority.  The agency has developed a
year-2000 charter, which defines a project management organization
and designates a project manager, along with coordinators at each of
VBA's three systems-development centers:  Hines, Illinois; Austin,
Texas; and Philadelphia. 

Initially, the primary focus of VBA's strategy was to attain
compliance by replacing noncompliant systems with new ones.  Its goal
was to have all systems and applications compliant by November 30,
1998, thus allowing over a year for testing and monitoring.  VBA also
developed a contingency plan, for its compensation and pension and
educational assistance payment systems, to ensure continued operation
into the next century should replacement systems not be implemented
in time.  On the basis of concerns we raised regarding VBA's
year-2000 strategy, the agency recently revised it to focus on making
changes to its existing noncompliant systems rather than replacing
them.  Many of these efforts, however, remain unfinished.  Some
important obstacles to success remain, Mr.  Chairman, in the areas of
program management, assessment, contingency planning, and the
handling of noncompliant systems. 

First, the structure of VBA's year-2000 program management office
needs strengthening, and technical and managerial issues must be
addressed.  An agency-level program office must coordinate and manage
the full range of interdependent information systems activities
involved in the year-2000 effort.  Yet, according to VBA's year-2000
project manager, her management functions were limited to conversion
projects for the compensation and pension and educational assistance
payment systems and replacement projects for educational assistance
payment systems.  The functions of VBA's year-2000 project manager
also do not include oversight of locally developed applications used
by the 58 regional offices. 

In commenting on a draft of our report, the Secretary of Veterans
Affairs concurred with our recommendation that VBA strengthen its
year-2000 program management office.  He has stated that VBA's
year-2000 project manager has been relieved of other duties to devote
full attention to year-2000 activities.  VA also has established an
oversight committee to monitor and evaluate the progress of VBA's
year-2000 effort. 

A critical technical deficiency is VBA's lack of an overall,
integrated systems architecture, or blueprint, to guide and constrain
the development of replacement systems and the evolution of related
information systems.  The Clinger-Cohen Act of 1996 requires, among
other provisions, that department-level chief information officers
develop, maintain, and facilitate integrated systems architectures. 
Without such a tool, successful systems integration through common
standards is placed at added risk. 

Specifically, VBA has not yet developed, or has not documented, a
comprehensive analysis of the flow of information among the various
systems; further, it has not yet adequately (1) defined the
interfaces among systems that must share data in order to facilitate
delivery of benefits, (2) defined a security architecture because
sufficient analysis to allow this has not been performed, or (3)
analyzed characteristics or developed standards for measuring
performance.  Also, it is permitting changes to the database and data
elements themselves without insisting on the appropriate quality
assurance steps. 

The Secretary concurred with our recommendation that VBA develop a
complete, integrated systems architecture for its new systems
development activities.  He further stated that VBA is documenting
its systems architecture, information architecture, and data
architecture.  Also, VBA is still developing security services common
to all applications and performance characteristics and standards. 

A second obstacle to VBA's success in being ready for the year 2000
concerns the fact that much work remains in determining whether its
information systems and their components are compliant now.  VBA has
yet to fully assess the severity of its year-2000 problem.  And while
inventories of regional applications and internal/external interfaces
have been started, they are not yet complete. 

According to VBA's December 1996 year-2000 plan, it expected to have
completed all inventories by September 30, 1996.  By that date,
however, inventories had been completed only for software
applications at its three systems development centers.  According to
VBA's January 28, 1997, year-2000 risk assessment, part of the reason
for the delay is the agency's loss of some well-qualified employees
to retirement during recent agency buyouts.  Regardless of the
reason, however, VBA's challenge is more difficult because it has
less time and fewer experienced personnel. 

VBA's February 17, 1997, inventory shows 153 applications, consisting
of over 8,400 modules and over 9 million lines of computer software
code.  VBA determined that 111 of the 153 applications--almost three
quarters--were noncompliant.  Decisions relating to about a third of
these noncompliant applications had not been made as of that date. 

Further, this inventory does not include local applications developed
by regional offices.  While VBA's CIO has requested that regional
offices develop such inventories, he further stated that no regional
applications need be included in the inventory of software
applications because no locally developed applications were
mission-critical.  Yet according to VA's year-2000 readiness review,
without a complete inventory of regionally-developed applications,
VBA cannot adequately predict or plan for the impact of the change of
century. 

The Secretary concurred with our recommendation that VBA perform an
assessment of how its major business areas would be affected if the
year-2000 problem were not corrected in time to help prioritize the
agency's year-2000 activities.  He stated that such an overall
assessment has been completed, and that VBA concluded that all major
business areas would be severely affected.  The Secretary did not
consider it beneficial to spend time developing a detailed analysis
when the general business impact is already known.  We believe,
however, that even when general impact is known, a detailed
assessment provides management with valuable information on which to
prioritize activities, as well as a means of obtaining and
publicizing management commitment and support for necessary
initiatives. 

Regarding VBA's inventory of interfaces, the Secretary stated that
VBA expects to have this inventory completed by June 30.  He stated
that the assessment of interfaces is more complicated because VBA,
like other government agencies, is dependent upon receiving
information from other agencies.  In addition, the newly-established
oversight committee plans to assess whether VBA's program management
office needs to oversee the year-2000 work in the regional offices
and include regional applications in its inventory. 

A third obstacle is that VBA has not developed contingency plans for
all of its critical systems.  Three of its major business areas--loan
guaranty, vocational rehabilitation and counseling, and
insurance--lack contingency plans to ensure continuity of operations. 
We recently learned that such plans are in development for the
loan-guaranty system.  VBA managers realize that they may have to
return to manual processing if critical systems in these major
business areas are not made year-2000 compliant in time. 

In his comments on a draft of our report, the Secretary also
concurred with our recommendation that VBA develop a year-2000
contingency plan for all critical information systems.  He stated
that VBA is addressing the development of contingency plans with each
program manager. 

Fourth, VBA does not yet have sufficient information about the costs
and risks associated with its year-2000 activities.  As a
consequence, it has no basis on which to make decisions about
prioritizing its information technology projects to make the best use
of its two vital resources:  people and money.  Its year-2000
strategy calls for converting most existing systems while
simultaneously continuing to replace its existing benefits payment
systems.  Yet both actions depend upon limited financial and
personnel resources; it may not be able to complete either in time. 

Reliable assessments of costs and risks are important prerequisites
for effective prioritization of information technology projects. 
VA's readiness assessment estimated VBA's year-2000 costs at about
$20 million for fiscal years 1996 through 1999.  This, however, only
included conversion projects, such as those to upgrade the mainframes
and operating systems at the Hines and Philadelphia data centers.  It
did not include costs to replace VBA's aging systems with new,
compliant payment systems. 

The Secretary concurred with our recommendation that VBA assess the
costs, benefits, and risks of competing information technology
projects and prioritize them to make effective use of limited people
and financial resources.  He indicated, however, that this assessment
has been completed.  But in light of VBA's recent decision to make
year-2000 changes to its existing systems its top priority, rather
than relying on replacement systems, we believe that VBA must
reevaluate its cost/benefit and risk assessments under this new
strategy.  The results of this evaluation are especially important,
since in focusing on conversion of noncompliant benefits payment
systems, VBA has decided to exclude only replacement of these
specific systems from its overall year-2000 strategy, rather than
discontinue the overall replacement strategy altogether.  As a
result, VBA's new year-2000 strategy and replacement project effort
continue to be dependent upon limited personnel and financial
resources. 


   STRONG PROGRAM OVERSIGHT
   ESSENTIAL; INVENTORIES AND
   ASSESSMENTS MUST BE COMPLETED
   QUICKLY, ALONG WITH CONVERSIONS
   AND CONTINGENCY PLANS
---------------------------------------------------------- Chapter 0:4

Mr.  Chairman, we all agree that VBA must do whatever it takes to be
year-2000 compliant.  This will not be easy.  Until an inventory and
assessment of its information systems and their components is
completed, it will not be able to make informed choices about the
best use of limited personnel and financial resources.  Once this has
been accomplished, it may be necessary to reallocate resources toward
completing the conversion projects and developing contingency plans
for all critical noncompliant systems.  A stronger program management
office structure and improved technical and managerial capabilities
will be essential ingredients in helping to make this happen. 

Given the serious risks associated with VBA's year-2000 activities,
our report recommends that the Secretary of Veterans Affairs direct
and ensure that VBA's acting undersecretary for benefits, in
conjunction with VBA's CIO, take 10 specific actions to help ensure
the agency's success in making its systems year-2000 compliant before
the change of century.  I have already discussed some of these
recommendations in my testimony today.  In summary, these actions
involve strengthening program management and oversight; developing an
integrated systems architecture; assessing the vulnerability of VBA's
major business areas to failing to achieve systems compliance in
time; completing inventories, analyses, and assessments; developing a
schedule for systems conversion/replacement; and developing critical
contingency plans. 

We discussed our findings with both VA's and VBA's CIOs at the
conclusion of our review.  Not only did they agree with all of our
recommendations, but in addition took quick action to address areas
of concern that we identified.  We were told that VBA is redirecting
its year-2000 strategy to focus on the conversion of existing
benefits payment systems.  Further, VA has established an oversight
committee, comprising a VBA executive, a senior manager from VA's
Office of Information Resources Management, and an independent
contractor, to evaluate VBA's progress in year-2000 readiness.  The
contractor is to report this August, and is to include an action plan
detailing what will be required for VBA to complete software recoding
in December 1998.  As we said in our report, we are encouraged by
these specific steps and we commend the agency both for its
receptivity and speed of response.  We will continue to work with VBA
in evaluating its plans and strategies for accomplishing its goals. 


-------------------------------------------------------- Chapter 0:4.1

Mr.  Chairman, this concludes my statement.  I would be pleased to
respond to any questions that you or other members of the
Subcommittee may have at this time. 


*** End of document. ***